diff --git a/backend/library/libraries/croe-for-fmi.yaml b/backend/library/libraries/croe-for-fmi.yaml new file mode 100644 index 000000000..17c60e49b --- /dev/null +++ b/backend/library/libraries/croe-for-fmi.yaml 
@@ -0,0 +1,4235 @@ +urn: urn:intuitem:risk:library:croe-for-fmi +locale: en +ref_id: CROE-for-FMI +name: Cyber resilience oversight expectations for financial market infrastructures +description: "The cyber resilience oversight expectations (CROE) serves the following\ + \ three key purposes: \n(i) it provides FMIs with detailed steps on how to operationalise\ + \ the Guidance, ensuring they are able to foster improvements and enhance their\ + \ cyber resilience over a sustained period of time; \n(ii) it provides overseers\ + \ with clear expectations to assess the FMIs for which they are responsible;and\ + \ \n(iii) it provides the basis for a meaningful discussion between the FMIs and\ + \ their respective overseers.\n\nHere is the link to the document :\nhttps://www.ecb.europa.eu/paym/pdf/cons/cyberresilience/Cyber_resilience_oversight_expectations_for_financial_market_infrastructures.pdf" +copyright: ECB-PUBLIC +version: 1 +provider: EUROPEAN CENTRAL BANK +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:croe-for-fmi + ref_id: CROE-for-FMI + name: Cyber resilience oversight expectations for financial market infrastructures + description: "The cyber resilience oversight expectations (CROE) serves the following\ + \ three key purposes: \n(i) it provides FMIs with detailed steps on how to operationalise\ + \ the Guidance, ensuring they are able to foster improvements and enhance their\ + \ cyber resilience over a sustained period of time; \n(ii) it provides overseers\ + \ with clear expectations to assess the FMIs for which they are responsible;and\ + \ \n(iii) it provides the basis for a meaningful discussion between the FMIs\ + \ and their respective overseers.\n\nHere is the link to the document :\nhttps://www.ecb.europa.eu/paym/pdf/cons/cyberresilience/Cyber_resilience_oversight_expectations_for_financial_market_infrastructures.pdf" + implementation_groups_definition: + - ref_id: EVOLVING + name: EVOLVING + description: 'Essential 
capabilities are established, evolve and are sustained + across the + + FMI to identify, manage and mitigate cyber risks, in alignment with the cyber + resilience + + strategy and framework approved by the Board. Performance of practices is + + monitored and managed.' + - ref_id: ADVANCING + name: ADVANCING + description: "In addition to meeting the evolving level\u2019s requirements,\ + \ practices at this\nlevel involve implementing more advanced tools (e.g.\ + \ advanced technology and risk\nmanagement tools) that are integrated across\ + \ the FMI\u2019s business lines and have been\nimproved over time to proactively\ + \ manage cyber risks posed to the FMI." + - ref_id: INNOVATING + name: INNOVATING + description: "In addition to meeting the evolving and advancing levels\u2019\ + \ requirements,\ncapabilities across the FMI are enhanced as needed within\ + \ the rapidly evolving cyber\nthreat landscape, in order to strengthen the\ + \ FMI\u2019s cyber resilience and its ecosystem\nand by proactively collaborating\ + \ with its external stakeholders. This level involves\ndriving innovation\ + \ in people, processes and technology for the FMI and the wider\necosystem\ + \ to manage cyber risks and enhance cyber resilience. This may call for new\n\ + controls and tools to be developed or new information-sharing groups to be\ + \ created." 
+ requirement_nodes: + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2 + assessable: false + depth: 1 + ref_id: '2' + name: Cyber resilience oversight expectations + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2 + ref_id: '2.1' + name: Governance + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1 + ref_id: 2.1.1 + name: Preamble + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node5 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.1 + description: "Cyber governance refers to the arrangements an FMI has put in\ + \ place to establish, implement and review its approach to managing cyber\ + \ risks. Effective cyber governance should start with a clear and comprehensive\ + \ cyber resilience framework that prioritises the security and efficiency\ + \ of the FMI\u2019s operations, and supports financial stability objectives.\ + \ The framework should be guided by an FMI\u2019s cyber resilience strategy,\ + \ define how the FMI\u2019s cyber resilience objectives are determined, and\ + \ outline its people, processes and technology requirements for managing cyber\ + \ risks and timely communication in order to enable an FMI to collaborate\ + \ with relevant stakeholders to effectively respond to and recover from cyber\ + \ attacks. It is essential that the framework is supported by clearly defined\ + \ roles and responsibilities of the FMI\u2019s Board (or equivalent) and its\ + \ management, and it is incumbent upon its Board and management to create\ + \ a culture which recognises that staff at all levels have important responsibilities\ + \ in ensuring the FMI\u2019s cyber resilience." 
+ - urn: urn:intuitem:risk:req_node:croe-for-fmi:node6 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.1 + description: "Strong cyber governance is essential to an FMI\u2019s implementation\ + \ of a systematic and proactive approach to managing the prevailing and emerging\ + \ cyber threats that it faces. It also supports efforts to appropriately consider\ + \ and manage cyber risks at all levels within the organisation and to provide\ + \ appropriate resources and expertise to deal with these risks. This chapter\ + \ provides guidance on what basic elements an FMI\u2019s cyber resilience\ + \ framework should include and how an FMI\u2019s governance arrangements should\ + \ support that framework." + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1 + ref_id: 2.1.2 + name: Expectations + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2 + ref_id: 2.1.2.1 + name: Cyber resilience strategy and framework + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node9 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1 + name: 'Cyber resilience strategy:' + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node9 + ref_id: 2.1.2.1-1 + description: 'The FMI should establish an internal, cross-disciplinary steering + committee comprised of senior management and appropriate staff (employees + and/or contractors) from multiple business units (e.g. business, finance, + risk management, internal audit, operations, cybersecurity, information technology + (IT), communications, legal and human resources, some of which may be external), + to collectively develop a cyber resilience strategy and framework. 
The steering + committee should provide multiple views and perspectives to ensure that the + cyber resilience strategy and framework is holistic and focuses on all elements + related to people, processes and technology. Among other things, the steering + committee should:' + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1 + ref_id: 2.1.2.1-1.a + description: "evaluate and prioritise internal and external stakeholders\u2019\ + \ needs and expectations, deciding on the overall requirements from cyber\ + \ resilience;" + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1 + ref_id: 2.1.2.1-1.b + description: provide direction to senior management on what cyber resilience + should achieve; + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1 + ref_id: 2.1.2.1-1.c + description: define who makes cyber resilience decisions and how those decisions + should be made; + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1 + ref_id: 2.1.2.1-1.d + description: "consider the FMI\u2019s risk landscape and risk tolerance when\ + \ defining how cyber risks should be addressed;" + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1 + ref_id: 2.1.2.1-1.e + description: evaluate how the different business units are impacted and can + work together in an integrated manner to achieve enterprise-wide 
outcomes; + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-1 + ref_id: 2.1.2.1-1.f + description: consider how to monitor the performance and outcomes of cyber resilience + and intervene if necessary to ensure that the specified direction is followed. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node9 + ref_id: 2.1.2.1-2 + description: Based on the above reflections, the FMI should document its cyber + resilience strategy. The FMI should ensure that the following aspects are + considered and included in the strategy. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2 + ref_id: 2.1.2.1-2.a + description: The importance of cyber resilience to the FMI and its key stakeholders. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2 + ref_id: 2.1.2.1-2.b + description: "Internal and external stakeholders\u2019 high-level requirements,\ + \ so that these can be taken into account when defining cyber resilience governance\ + \ and goals for cyber resilience management. Some common categories of stakeholders\ + \ that may be considered include: owners and investors, customers and clients,\ + \ suppliers, employees, legal and regulatory authorities, and competitors\ + \ and industry bodies." 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2 + ref_id: 2.1.2.1-2.c + description: "The FMI\u2019s vision and mission in relation to cyber resilience." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2 + ref_id: 2.1.2.1-2.d + description: "The cyber resilience objectives that the FMI will work towards,\ + \ which should include ensuring the ongoing efficiency, effectiveness and\ + \ economic viability of its services to its users and maintaining and promoting\ + \ the FMI\u2019s ability to anticipate, withstand, contain and recover from\ + \ cyber attacks." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2 + ref_id: 2.1.2.1-2.e + description: "The FMI\u2019s cyber risk appetite, to ensure that it remains\ + \ consistent with the FMI\u2019s risk tolerance, as well as with the FMI\u2019\ + s overall business objectives and corporate strategy." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2 + ref_id: 2.1.2.1-2.f + description: "Clear and credible cyber maturity targets and a roadmap or implementation\ + \ plan with change delivery and planning of capabilities relating to people,\ + \ processes and technology at pace with threats and proportionate to the FMI\u2019\ + s size and criticality. The strategy should clearly set out how this roadmap\ + \ or implementation plan will be delivered and how the Board should track\ + \ and monitor delivery." 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.g + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2 + ref_id: 2.1.2.1-2.g + description: The high-level scope of technology and assets which will be used + to manage cyber resilience. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.h + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2 + ref_id: 2.1.2.1-2.h + description: The interactions with other participants, FMIs and third parties, + on areas such as information sharing. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.i + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2 + ref_id: 2.1.2.1-2.i + description: The governance necessary to enable cyber resilience to be designed, + transitioned, operated and improved. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.j + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2 + ref_id: 2.1.2.1-2.j + description: How cyber resilience initiatives will be delivered, managed and + funded, including the budgeting process and organisational capabilities. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2.k + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-2 + ref_id: 2.1.2.1-2.k + description: How cyber resilience will be integrated into all aspects of the + FMI, which includes people, processes, technology and new business initiatives. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node9 + ref_id: 2.1.2.1-3 + description: The FMI should ensure that the cyber resilience strategy is aligned + to its corporate strategy and other relevant strategies (e.g. enterprise risk + management, operational risk and IT). + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node9 + ref_id: 2.1.2.1-4 + description: "The FMI\u2019s Board should approve the cyber resilience strategy,\ + \ and should ensure that it is regularly reviewed and updated according to\ + \ the FMI\u2019s threat landscape." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-5 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node9 + ref_id: 2.1.2.1-5 + description: "The Board should be kept regularly informed of the FMI\u2019s\ + \ cyber risk and ensure consistency with the FMI\u2019s risk tolerance and\ + \ appetite, so that it can achieve the FMI\u2019s overall business objectives\ + \ and corporate strategy." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node32 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1 + name: 'Cyber resilience framework:' + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-6 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node32 + ref_id: 2.1.2.1-6 + description: The FMI should have a cyber resilience framework that clearly sets + out how it determines its cyber resilience objectives and risk tolerance, + as well as how it effectively identifies, mitigates, and manages its cyber + risks to support its objectives. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-7 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node32 + ref_id: 2.1.2.1-7 + description: "The FMI\u2019s cyber resilience framework should systematically\ + \ incorporate the requirements (i.e. policies, procedures and controls) related\ + \ to governance, identification, protection, detection, response and recovery,\ + \ testing, situational awareness, and learning and evolving." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-8 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node32 + ref_id: 2.1.2.1-8 + description: The FMI should use leading international, national and industry-level + standards, guidelines or recommendations (e.g. NIST, COBIT 5 and ISO/IEC 27000, + etc.), reflecting current industry best practices in managing cyber threats, + as a benchmark for designing its cyber resilience framework and incorporating + the most effective cyber resilience solutions. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-9 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node32 + ref_id: 2.1.2.1-9 + description: "At the broader level, the FMI\u2019s cyber resilience framework\ + \ should be consistent with its enterprise risk management framework." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-10 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node32 + ref_id: 2.1.2.1-10 + description: "The FMI\u2019s Board should endorse this cyber resilience framework,\ + \ ensuring it is aligned with the FMI\u2019s formulated cyber resilience strategy,\ + \ review it at least annually and update it when needed to ensure that it\ + \ remains relevant." 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-11 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node32 + ref_id: 2.1.2.1-11 + description: "The FMI\u2019s cyber resilience framework should clearly define\ + \ the roles and responsibilities, including accountability for decision-making\ + \ within the organisation, for identifying, mitigating and managing cyber\ + \ risk." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node39 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1 + name: 'Cyber resilience strategy and framework:' + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-12 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node39 + ref_id: 2.1.2.1-12 + description: The FMI should use maturity models and define relevant metrics + to assess and measure the adequacy and effectiveness of and adherence to its + cyber resilience framework through independent compliance programmes and audits + carried out by qualified staff on a regular basis. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node39 + ref_id: 2.1.2.1-13 + description: 'The FMI should ensure that, as part of its formal process to review + and update its cyber resilience strategy and framework (including all policies, + procedures and controls), a number of factors are considered, such as:' + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13 + ref_id: 2.1.2.1-13.a + description: the current and evolving cyber threats (e.g. 
those associated with + the supply chain, use of cloud services, social networking, mobile applications + and the internet of things, etc.); + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13 + ref_id: 2.1.2.1-13.b + description: threat intelligence on threat actors and new tactics, techniques + and procedures which may specifically impact the FMI; + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13 + ref_id: 2.1.2.1-13.c + description: "the results of risk assessments of the FMI\u2019s critical functions,\ + \ key roles, processes, information assets, third-party service providers\ + \ and interconnections;" + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13 + ref_id: 2.1.2.1-13.d + description: actual cyber incidents that have impacted the FMI directly or external + cyber incidents from the ecosystem; + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13.e + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13 + ref_id: 2.1.2.1-13.e + description: lessons learned from audits and tests on the cyber resilience framework; + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13.f + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13 + ref_id: 2.1.2.1-13.f + description: "the FMI\u2019s performance against the relevant metrics and maturity\ + \ models;" + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13.g + assessable: true + 
depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-13 + ref_id: 2.1.2.1-13.g + description: new business developments and future strategic objectives. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-14 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node39 + ref_id: 2.1.2.1-14 + description: "The FMI\u2019s cyber resilience strategy and framework should\ + \ consider how the FMI would continuously review and proactively identify,\ + \ mitigate and manage the cyber risks that it bears from and poses to its\ + \ participants, other FMIs, vendors, vendor products and its service providers,\ + \ which are collectively referred to as an FMI\u2019s ecosystem." + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node50 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1 + name: 'Cyber resilience strategy and framework:' + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-15 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node50 + ref_id: 2.1.2.1-15 + description: "The cyber resilience strategy should outline the FMI\u2019s future\ + \ state of cyber resilience, in terms of maturity and/or risk, with short\ + \ and long-term perspectives, and senior management should continuously improve\ + \ and adapt the existing cyber resilience strategy and framework as the desired\ + \ maturity level and/or risk landscape changes." 
+ implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.1-16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node50 + ref_id: 2.1.2.1-16 + description: "The FMI should establish the appropriate structures, processes\ + \ and relationships with the key stakeholders in the ecosystem to continuously\ + \ and proactively enhance the ecosystem\u2019s cyber resilience and promote\ + \ financial stability objectives as a whole." + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2 + ref_id: 2.1.2.2 + name: Role of the Board and senior management + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node54 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2 + name: 'Board and management responsibilities:' + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-17 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node54 + ref_id: 2.1.2.2-17 + description: "The FMI\u2019s Board should be responsible for approving the cyber\ + \ resilience strategy and framework, setting the FMI\u2019s risk tolerance\ + \ for cyber risks and closely overseeing the FMI's implementation of its cyber\ + \ resilience framework and the policies, procedures and controls that support\ + \ it." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-18 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node54 + ref_id: 2.1.2.2-18 + description: "In order to carry out the aforementioned responsibilities, the\ + \ FMI\u2019s Board should ensure that it collectively possesses the appropriate\ + \ balance of skills, knowledge and experience to understand and assess the\ + \ cyber risks facing the FMI. 
It should also be sufficiently informed and\ + \ capable of credibly challenging the recommendations and decisions of designated\ + \ senior management. Although the Board should collectively increase its skills\ + \ and knowledge on cybersecurity, it can also access specific expertise through\ + \ a Board member with adequate experience, or through experienced staff and/or\ + \ external independent organisation(s) reporting to and advising the Board." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-19 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node54 + ref_id: 2.1.2.2-19 + description: The Board and senior management should ensure that a senior executive + (e.g. the CISO) is responsible and accountable for implementing the cyber + resilience strategy and framework at the enterprise level. The Senior Executive + should be independent, possess the appropriate balance of skills, knowledge + and experience, and have sufficient resources and direct access to the Board. + For further clarification on the possible roles and responsibilities of such + a senior executive, see Annex 3. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-20 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node54 + ref_id: 2.1.2.2-20 + description: The Board and senior management should ensure that staff (including + senior management) who are responsible for cyber activities have suitable + skills, knowledge and experience, and are sufficiently informed and empowered + to make timely decisions. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-21 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node54 + ref_id: 2.1.2.2-21 + description: "The Board and senior management should ensure that cyber risk,\ + \ implementation of the cyber resilience framework and any associated issues\ + \ appear regularly on the Board\u2019s meeting agenda. Boards should have\ + \ adequate access to cybersecurity expertise (whether internal or external),\ + \ and discussions about cyber risk management should be given adequate time\ + \ on the Board\u2019s meeting agenda." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-22 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node54 + ref_id: 2.1.2.2-22 + description: Senior management should regularly provide a written report to + the Board on the overall status of its cyber resilience programme and keys + risks and issues. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-23 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node54 + ref_id: 2.1.2.2-23 + description: "As part of the Board\u2019s updates, senior management should\ + \ provide their budgeting and forecasting activities plan for ongoing and\ + \ future resource needs to ensure cyber resilience objectives are continually\ + \ achieved." 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node62 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2 + name: 'Culture:' + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-24 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node62 + ref_id: 2.1.2.2-24 + description: "The Board and senior management should cultivate a strong level\ + \ of awareness of and commitment to cyber resilience. To that end, an FMI\u2019\ + s Board and senior management should promote a culture that recognises that\ + \ staff at all levels have important responsibilities for ensuring the FMI\u2019\ + s cyber resilience, and lead by example." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-25 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node62 + ref_id: 2.1.2.2-25 + description: "The Board and senior management should ensure that behavioural\ + \ and cultural change is nurtured and conveyed through leadership and vision,\ + \ with clear and effective messages such as cyber resilience is everyone\u2019\ + s duty. This could be executed throughout the FMI, possibly built into charters,\ + \ vision statements and mandates from senior management, or through cyber\ + \ awareness campaigns." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-26 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node62 + ref_id: 2.1.2.2-26 + description: Senior management should ensure that situational awareness materials + are made available to relevant employees when prompted by highly visible cyber + incidents, changes to the threat landscape and the impacts of these threats + to the FMI, or by regulatory alerts. For example, the FMI could send internal + emails about cyber events or post articles on its intranet site. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node66 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2 + name: 'Skills and accountability:' + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-27 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node66 + ref_id: 2.1.2.2-27 + description: "Senior management should ensure that it has a programme for continuing\ + \ cyber resilience training and skills development for all staff. This training\ + \ programme should include the Board members and senior management and should\ + \ be conducted at least annually. The annual cyber resilience training should\ + \ include incident response, current cyber threats (e.g. threats, threat actors\ + \ and vulnerabilities), tactics and techniques (e.g. phishing, spear phishing,\ + \ social engineering and mobile security) and emerging issues, according to\ + \ staff members\u2019 levels of responsibility and the risks associated with\ + \ their respective roles." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-28 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node66 + ref_id: 2.1.2.2-28 + description: Senior management should ensure that employees and contractors + with privileged account permissions and/or access to sensitive assets and + information, receive additional cyber resilience training commensurate with + their levels of responsibility, and that business units are provided with + cyber resilience training relevant to their criticality to the business. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-29 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node66 + ref_id: 2.1.2.2-29 + description: In order to implement the cyber resilience strategy and framework, + senior management should ensure that it identifies the competencies, skills + and resources required. Senior management could adopt well-known skills frameworks, + such as the European e-Competence Framework (e-CF) or the Skills Framework + for the Information Age (SFIA) to determine its organisational needs. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-30 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node66 + ref_id: 2.1.2.2-30 + description: Senior management should continuously review the skills, competencies + and training requirements to ensure that it has the right set of skills as + technologies and risks evolve. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node71 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2 + name: 'Board and management responsibilities:' + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-31 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node71 + ref_id: 2.1.2.2-31 + description: "The FMI should ensure that the Board members\u2019 and senior\ + \ managements\u2019 understanding of their roles and responsibilities with\ + \ regard to cyber resilience is regularly assessed, including their knowledge\ + \ of cyber risks." 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-32 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node71 + ref_id: 2.1.2.2-32 + description: "The Board should ensure that senior management regularly conducts\ + \ a cyber resilience self-assessment5, which evaluates the FMI\u2019s cyber\ + \ maturity. The Board should review the self-assessment and take appropriate\ + \ decisions to improve the effectiveness of cyber activities and integration\ + \ with the corporate strategy across the FMI." + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-33 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node71 + ref_id: 2.1.2.2-33 + description: The Board should review and approve senior management's prioritisation + and resource allocation decisions based on the results of the cyber (self-) + assessments, performance against key performance indicators (KPIs) and their + evolution against their target state of maturity, and the FMI's overall business + objectives. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node75 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2 + name: 'Culture:' + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-34 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node75 + ref_id: 2.1.2.2-34 + description: Senior management should establish and sustain incentives (e.g. + staff recognition awards) to ensure behaviours are consistent with the intended + cyber risk culture. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-35 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node75 + ref_id: 2.1.2.2-35 + description: "Senior management should produce a formal cyber Code of Conduct,\ + \ which can be incorporated into the FMI\u2019s enterprise Code of Conduct,\ + \ and ensure that all employees comply with it." + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-36 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node75 + ref_id: 2.1.2.2-36 + description: Senior management should validate the effectiveness of its cyber + resilience training programme (e.g. social engineering or phishing tests) + and assess whether training and awareness programmes positively influence + behaviour. Based on the lessons learned from its training programme, the FMI + should improve the employee awareness programmes. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-37 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node75 + ref_id: 2.1.2.2-37 + description: Senior management should develop key performance metrics (e.g. + KPIs) and key risk metrics (e.g. key risk indicators (KRIs)) and markers (both + quantitative and qualitative) and ensure supporting data are routinely collected + at the senior management level to monitor, measure and report on the implementation, + effectiveness, consistency and persistence of cyber activities. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node80 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2 + name: 'Skills and accountability:' + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-38 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node80 + ref_id: 2.1.2.2-38 + description: Senior management should embed a programme for talent recruitment, + retention and succession planning for the staff, and ensure such staff are + aligned to cyber activities and deployed effectively across the FMI. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-39 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node80 + ref_id: 2.1.2.2-39 + description: Senior management should ensure that there are well-defined plans + for the succession of high-risk staff (e.g. senior management, system administrators, + software developers and critical system operators, etc.), and the recruitment + requirements for key cyber roles include suitable cyber skills, knowledge + and experience in alignment with defined succession plans. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-40 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node80 + ref_id: 2.1.2.2-40 + description: Senior management should ensure that staff performance plans are + tied to compliance with cyber resilience policies and standards in order to + hold employees accountable. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node84 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2 + name: 'Board and management responsibilities:' + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-41 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node84 + ref_id: 2.1.2.2-41 + description: The FMI should appoint a dedicated cyber expert to the Board. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-42 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node84 + ref_id: 2.1.2.2-42 + description: The standard Board meeting package should include reports and metrics + that cover areas such as suspicious cybersecurity events (e.g. increased network + behaviour and unusual user activity), cyber incidents and threat intelligence + trends for the ecosystem to facilitate discussions on how the FMI should respond + accordingly. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-43 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node84 + ref_id: 2.1.2.2-43 + description: The Board and senior management should proactively enhance its + strategic goals, objectives and tactical plans, as needed, to support cyber + activities and improvements across the ecosystem, making use of any available + sector-defined requirements and coordinated initiatives, and clearly communicate + this to the relevant stakeholders. 
+ implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node88 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2 + name: 'Culture:' + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-44 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node88 + ref_id: 2.1.2.2-44 + description: Senior management should cooperate proactively with other stakeholders + to promote a cyber resilience culture across the ecosystem. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node90 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2 + name: 'Skills and accountability:' + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-45 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node90 + ref_id: 2.1.2.2-45 + description: Senior management should regularly benchmark its cyber resilience + capabilities against the market to identify its gaps in terms of governance, + skills, resources and tools, treating these gaps as cyber risks and addressing + them accordingly. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.1.2.2-46 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node90 + ref_id: 2.1.2.2-46 + description: Senior management should actively foster partnerships with industry + associations and cybersecurity practitioners to develop solutions for future + cyber resilience needs, which will be useful to the FMI and the ecosystem + as a whole. 
+ implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2 + ref_id: '2.2' + name: Identification + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2 + ref_id: 2.2.1 + name: Preamble + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node95 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.1 + description: "Given that an FMI\u2019s operational failure can negatively impact\ + \ financial stability, it is crucial that FMIs identify which of their operations\ + \ and supporting information assets should, in order of priority, be protected\ + \ against compromise. The ability of an FMI to understand its internal situation\ + \ and external dependencies is key to being able to effectively respond to\ + \ potential cyber threats that might occur. This requires an FMI to know its\ + \ information assets and understand its processes, procedures, systems and\ + \ all dependencies to strengthen its overall cyber resilience posture. This\ + \ chapter outlines areas where an FMI should identify and classify business\ + \ processes and information assets as well as external dependencies." + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2 + ref_id: 2.2.2 + name: Expectations + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2 + ref_id: 2.2.2-1 + description: ' The FMI should identify and document all its critical functions, + key roles, processes and information assets that support those functions, + and update this information on a regular basis.' 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2 + ref_id: 2.2.2-2 + description: The FMI should identify and document all processes that are dependent + on third-party service providers and identify its interconnections, and update + this information on a regular basis. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2 + ref_id: 2.2.2-3 + description: The FMI should maintain an up-to-date inventory of all the critical + functions, key roles, processes, information assets, third-party service providers + and interconnections. It should integrate identification efforts with other + relevant processes, such as acquisition and change management, in order to + facilitate a regular review of its inventory. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2 + ref_id: 2.2.2-4 + description: The FMI should have an enterprise risk management framework to + identify risks and conduct risk assessments on a regular basis and of all + the critical functions, key roles, processes, information assets, third-party + service providers and interconnections to determine, classify and document + their level of criticality. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2 + ref_id: 2.2.2-5 + description: The FMI should create and maintain a simplified network map of + network resources with an associated plan addressing IPs which locate routing + and security devices and servers supporting the FMI's critical functions, + and which identify links with the outside world. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2 + ref_id: 2.2.2-6 + description: The FMI should conduct risk assessments before deploying new and/or + updated technologies, products, services and connections to identify potential + threats and vulnerabilities. It should also update its risk assessment in + case new information affecting cybersecurity risks is identified (e.g. a new + threat, vulnerability, adverse test result, hardware change, software change + or configuration change). The results of the risk assessments should feed + into the cyber resilience strategy and framework. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2 + ref_id: 2.2.2-7 + description: The FMI should have and maintain a fully comprehensive inventory + of all individual and system accounts (especially including privileged and + remote access accounts) so that they can be aware of the access rights to + information assets and their supporting systems. The FMI should review and + update this inventory on a regular basis. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2 + ref_id: 2.2.2-8 + description: The FMI should use automated tools (e.g. a centralised asset inventory + management (AIM) tool) that enable it to support the identification and classification + of the critical functions, processes, information assets and interconnections. + The FMI should ensure that the inventory is updated accurately and that these + changes are shared with the relevant staff in in a timely manner. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2 + ref_id: 2.2.2-9 + description: The FMI should use automated tools (e.g. a centralised identity + and access management (IAM) tool) that enable it to support the identification + and classification process of roles, user profiles and individual and system + credentials, and ensure that these are updated accurately and that relevant + staff are informed of the changes in a timely manner. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-10 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2 + ref_id: 2.2.2-10 + description: The FMI should also maintain up-to-date and complete maps of network + resources, interconnections and dependencies, and data flows with other information + assets, including the connections to business partners, internet-facing services, + cloud services and any other third-party systems. It should use these maps + to undertake risk assessments of key dependencies and apply appropriate risk + controls, when necessary. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-11 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2 + ref_id: 2.2.2-11 + description: The FMI should update its inventory to address new, relocated, + repurposed and sunset information assets, on a regular basis or when these + changes occur. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-12 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2 + ref_id: 2.2.2-12 + description: "The FMI should use automated feeds from above (e.g. from AIM and\ + \ IAM tools), in order to identify emerging risks, update its risk assessments\ + \ in a timely manner and take the necessary mitigating actions in line with\ + \ the FMI\u2019s risk tolerance." + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2-13 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.2.2 + ref_id: 2.2.2-13 + description: "The FMI should identify the cyber risks that it bears from or\ + \ poses to entities in its ecosystem and coordinate with relevant entities,\ + \ as appropriate. This may involve identifying common vulnerabilities and\ + \ threats, and taking appropriate measures collectively to address such risks,\ + \ with the objective of improving the ecosystem\u2019s overall resilience." 
+ implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2 + ref_id: '2.3' + name: Protection + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3 + ref_id: 2.3.1 + name: Preamble + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node112 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.1 + description: "Cyber resilience depends on effective security controls and system\ + \ and process design that protect the confidentiality, integrity and availability\ + \ of an FMI\u2019s assets and services. These measures should be proportionate\ + \ to an FMI\u2019s threat landscape and systemic role in the financial system,\ + \ and consistent with its risk tolerance. This chapter provides guidance on\ + \ how FMIs should implement appropriate and effective measures in line with\ + \ leading cyber resilience and cybersecurity practices to prevent, limit or\ + \ contain the impact of a potential cyber event." 
+ - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3 + ref_id: 2.3.2 + name: Expectations + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2 + ref_id: 2.3.2.1 + name: Protection of processes and assets + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node115 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1 + name: Control implementation and design + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-1 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node115 + ref_id: 2.3.2.1-1 + description: 'The FMI should implement a comprehensive and appropriate set of + security controls that will allow it to achieve the security objectives needed + to meet its business requirements. The FMI should implement these controls + based on the identification of its critical functions, key roles, processes, + information assets, third-party service providers and interconnections, as + per the risk assessment in the identification phase. 
The security objectives + may include ensuring:' + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-1.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-1 + ref_id: 2.3.2.1-1.a + description: the continuity and availability of its information systems; + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-1.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-1 + ref_id: 2.3.2.1-1.b + description: the integrity of the information stored in its information systems, + while both in use and transit; + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-1.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-1 + ref_id: 2.3.2.1-1.c + description: the protection, integrity, confidentiality and availability of + data while at rest, in use and in transit; + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-1.d + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-1 + ref_id: 2.3.2.1-1.d + description: conformity to applicable laws, regulation and standards. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-2 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node115 + ref_id: 2.3.2.1-2 + description: The FMI should develop its security controls in order to address + cybersecurity and related physical security and people security. The controls + should be designed according to the threat landscape, prioritised in accordance + with the risks facing the FMI (risk-based security controls) and aligned to + its business objectives. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-3 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node115 + ref_id: 2.3.2.1-3 + description: The FMI should assess the effectiveness of its security controls + regularly in order to adapt them to its evolving threat landscape. They should + be monitored and audited regularly to ensure that they remain effective and + have been applied to all assets where they might be needed. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-4 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node115 + ref_id: 2.3.2.1-4 + description: When designing, developing and acquiring its systems and processes, + the FMI should capture security requirements alongside system and process + requirements in order to identify the security controls necessary for protecting + its systems, processes and data, at the earliest possible stage. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-5 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node115 + ref_id: 2.3.2.1-5 + description: The FMI should apply a defence-in-depth strategy in line with a + risk-based approach, i.e. it should implement multiple independent security + controls so that if one control fails or a vulnerability is exploited, alternative + controls will be able to protect targeted assets and/or processes. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-6 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node115 + ref_id: 2.3.2.1-6 + description: The FMI should develop and implement a bespoke information security + management system (ISMS), which could be based on a combination of well-recognised + international standards (e.g. 
ISO 27001, ISO 20000-1 and ISO 27103, etc.), + in order to establish, implement, operate, continuously monitor, review, maintain + and improve a comprehensive cybersecurity control framework. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-7 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node115 + ref_id: 2.3.2.1-7 + description: The FMI should consider cyber resilience at the earliest stage + of system design, development and acquisition, as well as throughout the system + development life cycle, so that vulnerabilities in software and hardware are + minimised and security controls are incorporated into systems and processes + from their inception. It should adopt a bespoke system development life cycle + (SDLC) methodology that embeds the resilience-by-design approach when designing, + building, acquiring or modifying its systems, processes and products. At each + stage of the SDLC, the FMI should manage its cyber risk and integrate resilience + based on risk analysis results. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-8 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node115 + ref_id: 2.3.2.1-8 + description: The FMI should frequently review its ISMS, using certification, + audits or other relevant forms of assurance. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-9 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node115 + ref_id: 2.3.2.1-9 + description: The FMI should develop processes and procedures and explore potential + technologies to constantly adjust and refine its security countermeasures + (controls). 
This will help it to ensure it is protected against known and + emerging threats, based on knowledge and best practices obtained from other + FMIs across the ecosystem and through the use of threat intelligence. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1 + name: Network and infrastructure management + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-10 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-10 + description: The FMI should establish a secure boundary that protects its network + infrastructure (using tools such as a router, firewall, intrusion prevention + system (IPS) or intrusion detection system (IDS), virtual private network + (VPN), demilitarised zone (DMZ) or proxies etc.). The boundary should identify + trusted and untrusted zones according to the risk profile and criticality + of information assets contained within each zone, and appropriate access requirements + should be implemented within and between each security zone according to the + principle of least privilege. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-11 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-11 + description: The FMI should seek to use a separate and dedicated network for + information system administration. At a minimum, the FMI should prohibit direct + internet access from devices or servers used for information system administration + whenever possible. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-12 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-12 + description: "The FMI should establish a baseline system and security configurations\ + \ for information systems and system components, including devices used for\ + \ accessing the FMI network remotely, to help the configuration to and security\ + \ reinforcement of those systems and components to be applied consistently.\ + \ These baselines should be documented, formally reviewed and regularly updated\ + \ to adapt them to the FMI\u2019s evolving threat landscape." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-13 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-13 + description: The FMI should reinforce its network infrastructure and information + systems using recognised industry security standards. Changes to system configurations + should be strictly controlled and monitored and programmes that can alter + or override system configuration should be restricted. This should also be + applicable to devices and environments used for accessing the FMI network + remotely. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-14 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-14 + description: The FMI should seek to use secure network protocols (e.g. Secure + Shell and protocols relying on transport layer security (TLS) or equivalent), + when appropriate, in order to guarantee the confidentiality and integrity + of information exchanged within its network and beyond, including remote connections. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-15 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-15 + description: The FMI should define and implement procedures that limit, lock + and terminate system and remote sessions after a predefined period of inactivity + and predefined conditions are met. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-16 + description: The FMI should deploy a broad range of technologies and tools to + detect and block actual and attempted attacks or intrusions. The FMI may use + intrusion detection or prevention systems, end point security solutions (e.g. + antivirus, a firewall, or a host intrusion detection system (HIDS) or host + intrusion prevention system (HIPS)) or any other relevant solutions (e.g. + an access gateway or a jump box), in particular on devices and in environments + used for accessing the FMI network remotely. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-17 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-17 + description: "The FMI should implement controls that manage or prevent non-controlled\ + \ devices to connect to its internal network from inside or outside the premises\ + \ to ensure that activities in these zones are logged and monitored for inappropriate\ + \ use or attempts to access business systems. The FMI\u2019s infrastructure\ + \ should be scanned regularly to detect rogue devices and access points." 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-18 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-18 + description: The FMI should scan its legacy technologies regularly to identify + potential vulnerabilities and seek upgrade opportunities. Controls and additional + defence layers should be implemented and tested in order to protect unsupported + or vulnerable systems. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-19 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-19 + description: The FMI should have policies and controls that prevent users from + installing unauthorised applications. Procedures should be in place to manage + the installation of applications. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-20 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-20 + description: The FMI should implement a defence-in-depth security architecture, + based on the network and data flow diagrams that identify hardware, software + and network components, internal and external connections, and type of information + exchanged between systems. As required in the identification phase, the FMI + should maintain current and complete network and data flow diagrams. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-21 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-21 + description: The FMI should segment its network infrastructure with security + policies appropriate to its use and commensurate to its risk score, which + define proper access policy to systems and applications. 
Sensitive traffic + between systems and zones should be segregated using network management. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-22 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-22 + description: "The FMI\u2019s IT environments and functions should be adequately\ + \ separated with different security levels and controls implemented." + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-23 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-23 + description: The FMI should implement technical measures to prevent the execution + of unauthorised code on institution-owned or managed devices, network infrastructure + and system components. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-24 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-24 + description: The FMI should consider implementing technical measures (e.g. network + access control (NAC) solutions) in order to prevent unauthorised devices from + being connecting successfully. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-25 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-25 + description: The FMI should employ automated mechanisms to help maintain an + up-to-date, complete, accurate and readily available baseline of system and + security configurations for the information system and system components. + These mechanisms might include hardware and software inventory tools, configuration + management tools and network management tools. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-26 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-26 + description: The FMI should implement automated mechanisms that can isolate + affected information assets in the case of an adverse event. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-27 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node129 + ref_id: 2.3.2.1-27 + description: In the context of a defence-in-depth strategy, the FMI should seek + to implement cyber deception capabilities and techniques that enable it to + lure the attacker and trap it in a controlled environment where all activities + can be contained and analysed, allowing the FMI to gain vital threat intelligence + that will help to improve its protection controls. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1 + name: Logical and physical security management + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-28 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + ref_id: 2.3.2.1-28 + description: The FMI should identify and restrict physical and logical access + to its system resources to the minimum required for legitimate and approved + work activities, according to the principle of least privilege. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-29 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + ref_id: 2.3.2.1-29 + description: The FMI should establish policies, procedures and controls that + address access privileges and how that access should be administered. 
The + information system access should be evaluated regularly to identify unneeded + access or privileges. Physical, logical and/or remote access to critical systems + should be restricted and logged and unauthorised access should be blocked. + Administration rights on systems should be strictly limited to operational + needs. Procedures should be in place for a periodic review of all access rights. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-30 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + ref_id: 2.3.2.1-30 + description: The FMI should establish and administer user accounts in accordance + with a role-based access control (RBAC) scheme that organises allowed information + system access rights and privileges into roles. Role assignments should be + reviewed regularly by appropriate staff (e.g. management and system owners, + etc.) in order to take appropriate action when privileged role assignments + are no longer appropriate. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-31 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + ref_id: 2.3.2.1-31 + description: The FMI should establish processes to manage the creation, modification + or deletion of user access rights. Such actions should be submitted to and + approved by appropriate staff, and should be recorded for review if necessary. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-32 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + ref_id: 2.3.2.1-32 + description: 'The FMI should implement specific procedures to allocate privileged + access on a need-to-use or an event-by-event basis. Administrators should + have two types of accounts: one for general purpose and one to carry out their + administrative tasks. 
The use of privileged accounts should be tightly monitored + and controlled. The use of generic accounts for administration purpose should + be strictly limited and traced. Whenever possible, user and administrator + accounts should be nominative and clearly identifiable (e.g. using dedicated + taxonomy for usernames, which ensures that the positions and roles are not + apparent).' + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-33 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + ref_id: 2.3.2.1-33 + description: The FMI should have a dedicated policy that covers all the characteristics + of its authentication mechanisms (e.g. password, smart cards and biometrics, + etc.) and is in line with relevant standards (e.g. NIST-800-63). Default authentication + settings (e.g. passwords and unnecessary default accounts) should be deactivated, + changed or removed before systems, software and/or services go live. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-34 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + ref_id: 2.3.2.1-34 + description: The FMI should develop appropriate controls (e.g. encryption, authentication + and access control) to protect data at rest, in use and in transit. The controls + should be commensurate to the criticality and the sensitivity of the data + held, used or being transmitted, as per the risk assessment conducted in the + identification phase. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-35 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + ref_id: 2.3.2.1-35 + description: The FMI should have dedicated controls to prevent unauthorised + access to cryptographic keys. 
Dedicated policy and procedures should be defined + for the management of and access to cryptographic materials. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-36 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + ref_id: 2.3.2.1-36 + description: The FMI should implement controls to prevent unauthorised privileged + escalation (e.g. technical controls that trigger automated notification to + appropriate staff in the case of changes to user access profiles). + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-37 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + ref_id: 2.3.2.1-37 + description: The FMI should encrypt data as a result of its data classification + and risk assessment processes. The FMI should also use encryption and general + cryptographic controls in line with recognised standards and processes, which + cover aspects such as algorithm, key length and key generation, etc. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-38 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + ref_id: 2.3.2.1-38 + description: The FMI should implement automated mechanisms to support the management + of information system access accounts. This might include implementing security + controls embedded in the information system, allowing it to automatically + disable and/or remove inactive, temporary and emergency accounts after a predefined + period of time. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-39 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + ref_id: 2.3.2.1-39 + description: The FMI should establish strong governance on identity and access + management enforced by the use of dedicated tools such as Identity and Access + Management (IAM), in an integrated way, ensuring all systems update each other + consistently. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-40 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + ref_id: 2.3.2.1-40 + description: The FMI should seek to use an attribute-based access control (ABAC) + paradigm that allows it to manage access to its IT environment contextually + and dynamically. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-41 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node148 + ref_id: 2.3.2.1-41 + description: The FMI should employ automated mechanisms that allow account creation, + modification, enabling, disabling and removal actions to be monitored and + audited continuously, in order to notify appropriate staff when potential + malicious behaviour or damage is detected. The FMI should implement adaptive + access controls to prevent potential malicious behaviour or damage. 
+ implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1 + name: Change and patch management + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-42 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + ref_id: 2.3.2.1-42 + description: 'The FMI should have policies, procedures and controls in place + for change management, which should include criteria for prioritising and + classifying the changes (e.g. normal vs. emergency change). Prior to any change, + the FMI should ensure that the change request is:' + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-42.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-42 + ref_id: 2.3.2.1-42.a + description: reviewed to ensure that it meets FMI business needs; + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-42.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-42 + ref_id: 2.3.2.1-42.b + description: "categorised and assessed for identifying potential risks and to\ + \ ensure that it will not negatively impact confidentiality, integrity and\ + \ availability, as well as the FMI\u2019s systems and data;" + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-42.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-42 + ref_id: 2.3.2.1-42.c + description: approved before it is implemented by the appropriate level of management. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-43 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + ref_id: 2.3.2.1-43 + description: The FMI should ensure that the cybersecurity team is involved throughout + the life cycle of the change management process, as appropriate. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-44 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + ref_id: 2.3.2.1-44 + description: The FMI should put necessary procedures in place (e.g. code review + and unit testing, etc.), guaranteeing that changes are implemented correctly + and efficiently. The FMI should employ best practices when implementing changes. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-45 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + ref_id: 2.3.2.1-45 + description: The FMI should test, validate and document changes to the information + system before implementing them into production (this might include integration + tests, non-regression tests and user acceptance tests, etc.). The changes + to information systems include, but are not limited to, modifying hardware, + software or firmware components and system and security configuration settings. + The FMI should ensure that processes are in place to schedule change implementation + and communicate to those impacted prior to implementation, including consulting + them when necessary. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-46 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + ref_id: 2.3.2.1-46 + description: The FMI should have processes to identify, assess and approve genuine + emergency changes. 
Post-implementation reviews should be conducted to validate + that emergency procedures were appropriately followed and to determine the + impact of the emergency change. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-47 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + ref_id: 2.3.2.1-47 + description: 'The FMI should have a comprehensive patch management policy and + processes that include: maintaining current knowledge of available patches; + identifying appropriate patches for particular systems and analysing impacts + if installed; assuring that patches are installed properly (e.g. by applying + the four-eyes principle) and tested prior to and monitored after installation; + and documenting all associated procedures, such as specific configurations + required. The policies, procedures and controls must make use of the information + AIM process described in the identification phase that provides information + on the installed programs and binaries.' + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-48 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + ref_id: 2.3.2.1-48 + description: The FMI should consider using standardised configuration of IT + resources to facilitate its patch management process. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-49 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + ref_id: 2.3.2.1-49 + description: The FMI should ensure that the installations of new patches have + prior approval from the appropriate level of management. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-50 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + ref_id: 2.3.2.1-50 + description: The FMI should have in place necessary procedures for recovering + quickly when changes or patches fail. Any changes to the production environment + must have an associated fall-back plan, when applicable. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-51 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + ref_id: 2.3.2.1-51 + description: The FMI should have policies and procedures to prohibit changes + and patch installation to the information system that have not been pre-approved. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-52 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + ref_id: 2.3.2.1-52 + description: The FMI should establish its change management process based on + well-established and industry-recognised standards and best practices (e.g. + the information technology infrastructure library). + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-53 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + ref_id: 2.3.2.1-53 + description: The FMI should consider automating its patch management process + when possible to guarantee that all its systems remain consistently up to + date. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-54 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + ref_id: 2.3.2.1-54 + description: The FMI should consider building a segregated or separate environment + that mirrors the production environment, allowing rapid testing and changes + and patches to be implemented, and providing for rapid fall-back when needed. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.1-55 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node163 + ref_id: 2.3.2.1-55 + description: The FMI should implement automated mechanisms to prohibit changes + and patches from being installed on the information system that have not been + pre-approved. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2 + ref_id: 2.3.2.2 + name: People management + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node182 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2 + name: Human resources security + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-56 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node182 + ref_id: 2.3.2.2-56 + description: The FMI should embed cybersecurity at each stage of the employment + life cycle, specifying security-related actions required during the induction + of each employee and their ongoing management, and upon the termination of + their employment. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-56.a + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-56 + ref_id: 2.3.2.2-56.a + description: Prior to employment, the FMI should carry out background security + checks on all candidates (employees and/or contractors) commensurate to their + future role and depending on the criticality of the assets and information + they might have access to in order to fulfil their duty. Responsibilities + for cybersecurity should be clearly stated in the contractual agreement. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-56.b + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-56 + ref_id: 2.3.2.2-56.b + description: During employment, the FMI should ensure that employees and contractors + comply with established policies, procedures and controls. When an employee + is changing responsibilities, the FMI should ensure that all access rights + that are related to his/her previous position and are not necessary for his/her + new responsibilities are revoked in due time. Employees in sensitive positions + (e.g. those who change to roles requiring privileged access to critical systems + or who become high-risk staff) should be pre-screened. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-56.c + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-56 + ref_id: 2.3.2.2-56.c + description: "The FMI should establish procedures to revoke all departing employees\u2019\ + \ access rights from the information assets in a timely manner. Upon termination\ + \ of employment, staff should be required to return all assets that belong\ + \ to the FMI, including important documentation (e.g. 
related to business\ + \ processes, technical procedures and contact details), equipment, software\ + \ and authentication hardware, etc." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-57 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node182 + ref_id: 2.3.2.2-57 + description: The FMI should establish policies, procedures and controls for + granting or revoking employees physical and logical access to its systems + based on job responsibilities, principles of least privilege and segregation + of duties. Procedures for regularly reviewing such access should be in place. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-58 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node182 + ref_id: 2.3.2.2-58 + description: "The FMI should establish capabilities, including people, processes\ + \ and technologies to monitor privileged users\u2019 activity and access to\ + \ critical systems in order to identify and deter anomalous behaviour and\ + \ notify appropriate staff." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-59 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node182 + ref_id: 2.3.2.2-59 + description: The FMI should implement mechanisms that trigger automatic notifications + to be sent to staff in charge of granting or revoking access to the information + system upon change to employment status. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-60 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node182 + ref_id: 2.3.2.2-60 + description: The FMI should implement automatic mechanisms to grant or revoke + staff access to its information system upon change to employment status. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-61 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node182 + ref_id: 2.3.2.2-61 + description: The FMI should monitor and analyse pattern behaviour (e.g. network + use patterns, work hours and known devices, etc.) to identify anomalous activities + and evaluate the implementation of innovative solutions (e.g. data analytics, + machine learning and artificial intelligence, etc.) to support detection and + response to insider threat activity in real time. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node192 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2 + name: Security awareness and training + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-62 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node192 + ref_id: 2.3.2.2-62 + description: "The FMI should ensure that its employees have a good understanding\ + \ of the cyber risk they might face when conducting their jobs and that they\ + \ understand their roles and responsibilities in protecting the FMI\u2019\ + s assets." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-63 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node192 + ref_id: 2.3.2.2-63 + description: On a regular basis, at least once a year, the FMI should provide + its entire staff (employees and/or contractors) with training to support cybersecurity + policy compliance and the incident reporting process. This training should + include elements aimed at maintaining appropriate awareness of cyber-related + risks and good practices for dealing with potential cyber incidents, including + how to report unusual activity. Cybersecurity awareness training should be + part of the onboarding programme for new staff. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-64 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node192 + ref_id: 2.3.2.2-64 + description: The FMI should ensure that high-risk staff receive dedicated security + awareness training that is relevant to their responsibilities. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-65 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node192 + ref_id: 2.3.2.2-65 + description: Prior to going into service operations, staff operating new systems + should receive appropriate user training and be familiar with the operating + procedures. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-66 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node192 + ref_id: 2.3.2.2-66 + description: The FMI should validate the effectiveness of its training (e.g. + social engineering or phishing tests), assess whether the training and awareness + positively influence behaviour and ensure that staff comply with the cybersecurity + policy and incident reporting process. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-67 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node192 + ref_id: 2.3.2.2-67 + description: "The FMI\u2019s senior management should ensure its cultural awareness\ + \ of cyber risk improves continuously across the organisation and its ecosystem.\ + \ Training programmes should be updated regularly to take the evolving threat\ + \ landscape of the ecosystem into account." 
+ implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node199 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2 + name: Supplier and third-party security management + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-68 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node199 + ref_id: 2.3.2.2-68 + description: The FMI should maintain and regularly update an inventory of its + participants and third-party service providers, and ensure that its cyber + resilience framework addresses its interconnections with the aforementioned + entities from a cyber risk perspective. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-69 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node199 + ref_id: 2.3.2.2-69 + description: "The FMI\u2019s third-party risk assessment should be carried out\ + \ regularly, taking into account the evolution of its threat landscape. The\ + \ FMI should, using a risk-based approach, ensure that the provision of outsourced\ + \ services are accorded the appropriate level of cyber resilience." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-70 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node199 + ref_id: 2.3.2.2-70 + description: "The FMI should assess the third-party service provider\u2019s\ + \ security capabilities at least through third-party self-assessment (e.g.\ + \ self-assessment against Annex F7). Provision of settlement services to ancillary\ + \ systems by overseen entities is not considered to be third-party service\ + \ provision." 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-71 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node199 + ref_id: 2.3.2.2-71 + description: The FMI should design security controls that detect and prevent + intrusions from third-party connections. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-72 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node199 + ref_id: 2.3.2.2-72 + description: The FMI should ensure that there are appropriate procedures in + place to isolate or block its third-party connections (in a timely manner) + if there is a cyber attack and/or a risk of contagion. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-73 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node199 + ref_id: 2.3.2.2-73 + description: "The independent audit function should validate the FMI\u2019s\ + \ third-party relationship management and outsourcing." + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-74 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node199 + ref_id: 2.3.2.2-74 + description: "The FMI should obtain assurance of the third-party service provider\u2019\ + s cyber resilience capabilities, and may use tools such as certification,\ + \ external audits (e.g. ISAE 3402), summaries of test reports, service level\ + \ agreements (SLAs) and KPIs, etc." 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.3.2.2-75 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node199 + ref_id: 2.3.2.2-75 + description: The FMI should work closely with its third-party service providers + and other FMIs in the ecosystem to maintain and improve the security of interconnections + and end point security. For example, the FMI could conduct response and recovery + tests with its third-party service providers and other FMIs. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2 + ref_id: '2.4' + name: Detection + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4 + ref_id: 2.4.1 + name: Preamble + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node210 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.1 + description: "An FMI\u2019s ability to recognise signs of a potential cyber\ + \ incident, or detect that an actual breach has taken place, is essential\ + \ to strong cyber resilience. Early detection provides an FMI with useful\ + \ lead time to mount appropriate countermeasures against a potential breach,\ + \ and allows proactive containment of actual breaches. In the latter case,\ + \ early containment could effectively mitigate the impact of the attack \u2013\ + \ for example, by preventing an intruder from gaining access to confidential\ + \ data or exfiltration of such data. Given the stealthy and sophisticated\ + \ nature of cyber attacks and the multiple entry points through which a compromise\ + \ could take place, an FMI should maintain effective capabilities to extensively\ + \ monitor for anomalous activities. 
This chapter outlines monitoring and process-related\ + \ guidance aimed at helping FMIs detect cyber incidents." + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4 + ref_id: 2.4.2 + name: Expectations + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-1 + description: Based on the risk assessment performed in the identification phase, + the FMI should define, consider and document the baseline profile of system + activities to help detect deviation from the baseline (e.g. anomalous activities + and events). + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-2 + description: The FMI should develop the appropriate capabilities, including + the people, processes and technology, to monitor and detect anomalous activities + and events, by setting appropriate criteria, parameters and triggers to enable + alerts. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-3 + description: The FMI should have capabilities in place to monitor user activity, + exceptions and cybersecurity events. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-4 + description: The FMI should have capabilities in place to monitor connections, + external service providers, devices and software. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-5 + description: The FMI should analyse the information collected and use it to + further enhance its detection and monitoring capabilities and incident response + process. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-6 + description: The FMI should ensure that its detection capabilities, baseline + profile of system activities and the criteria, parameters and triggers are + periodically reviewed, tested and updated appropriately, in a controlled and + authorised manner. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-7 + description: The FMI should ensure that its relevant staff (employees and/or + contractors) are trained to be able to identify and report anomalous activity + and events. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-8 + description: The FMI should build multilayered detection controls covering people, + processes and technology which support attack detection and isolation of infected + points. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-9 + description: The FMI should ensure that its detection capabilities are informed + by threat or vulnerability information, which can be collected from different + sources and providers, as set out in the chapter on situational awareness. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-10 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-10 + description: The FMI should define alert thresholds for its monitoring and detection + systems in order to trigger and facilitate the incident response process. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-11 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-11 + description: The FMI's monitoring and detection capabilities should support + information collection for the forensic investigation. To facilitate forensic + investigation, the FMI should ensure that its logs are backed up at a secure + location with controls in place to mitigate the risk of alteration. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-12 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-12 + description: The FMI should develop and implement automated mechanisms (e.g. + a security information and event management (SIEM) system), which correlates + all the network and system alerts and any other anomalous activity across + its business units in order to detect multifaceted attacks (e.g. simultaneous + account takeover or a distributed denial of service (DDoS) attack). 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-13 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-13 + description: The FMI should have a process to collect, centralise and correlate + event information from multiple sources and log analysis to continuously monitor + the IT environment (e.g. databases, servers and end points, etc.) and detect + anomalous activities and events. This should include information on anomalous + activity and other network and system alerts across business units. This capability + could be achieved through a security operations centre (SOC) or equivalent. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-14 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-14 + description: The FMI should have processes in place to monitor activities that + are not in line with its security policy and might lead to data theft, integrity + compromise or destruction. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-15 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-15 + description: The FMI's monitoring and detection capabilities should allow the + appropriate staff who can respond to be alerted automatically. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-16 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-16 + description: The FMI should have the capabilities, in collaboration with other + stakeholders, to detect cyber events and adapt its security controls swiftly. 
+ Such events may include attempted infiltration, movement of an attacker across + systems, exploitation of vulnerabilities, unlawful access to systems and exfiltration + of information or data + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-17 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-17 + description: "The FMI should continuously monitor connections among information\ + \ assets and cyber risk levels throughout the information assets\u2019 life\ + \ cycles, and store and analyse these data. The information gathered this\ + \ way should enable the FMI to support timely responses to cyber threats (including\ + \ insider threats) or vulnerabilities and investigation of anomalous activities." + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-18 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-18 + description: The FMI should continuously monitor and inspect the network traffic, + including remote connections, and end point configuration and activity to + identify potential vulnerabilities or anomalous events in a timely manner. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-19 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-19 + description: The FMI should compare the network traffic and the end point configuration + with the expected traffic and configuration baseline profile and data flows. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-20 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-20 + description: The FMI should use multiple external sources of intelligence, correlated + log analysis, alerts, traffic flows, and geopolitical events to predict potential + future attacks and attack trends, and proactively take the appropriate measures + to improve its cyber resilience capabilities. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-21 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-21 + description: The FMI should develop threat detection capabilities which can + detect both known and unknown threats, with a proactive identification of + vulnerabilities, state-of-the art threat detection and correlation between + vulnerabilities and threats. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2-22 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.4.2 + ref_id: 2.4.2-22 + description: The FMI should seek to continuously explore new technologies and + techniques inhibiting lateral movement (e.g. deception mechanisms) which trigger + alerts and inform the FMI of potential malicious activity when accessed. For + example, the FMI could create and place fictitious sensitive data with alerting + tags attached to them. 
+ implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2 + ref_id: '2.5' + name: Response and recovery + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5 + ref_id: 2.5.1 + name: Preamble + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node236 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.1 + description: "Financial stability may depend on an FMI\u2019s ability to settle\ + \ obligations when they are due. Therefore, an FMI\u2019s arrangements should\ + \ be designed to enable it to resume critical operations rapidly, safely and\ + \ with accurate data in order to mitigate the potentially systemic risks of\ + \ failure to meet such obligations when participants are expecting it to meet\ + \ them. Continuity planning is essential for meeting related objectives. This\ + \ chapter provides guidance on an FMI\u2019s capabilities to respond to and\ + \ recover from cyber attacks." 
+ - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5 + ref_id: 2.5.2 + name: Expectations + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2 + ref_id: 2.5.2.1 + name: Cyber resilience incident management + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-1 + description: "The FMI should \u2013 based on the identification of its critical\ + \ functions, key roles, processes, information assets, third-party service\ + \ providers and interconnections \u2013 plan for how to operate in a diminished\ + \ capacity or how to safely restore services over time, based on services'\ + \ relative priorities, and with accurate data. In order to make the best decisions\ + \ about its recovery objectives following a cyber incident, the FMI must first\ + \ define its recovery point objectives (RPOs) and its recovery time objectives\ + \ (RTOs), commensurate to its business needs and systemic role in the ecosystem." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-2 + description: Based on Expectation 1 above, the FMI should consider a range of + different cyber scenarios, including extreme but plausible ones to which they + may be exposed, and conduct business impact analyses to assess the potential + impact such scenarios might have on the FMI. The FMI should review its range + of scenarios and conduct the business impact analysis in line with the evolving + threat landscape, on a regular basis. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-3 + description: The FMI should, based on the different cyber scenarios, develop + a contingency plan that achieves recovery objectives, restoration priorities + and determines the required capacities for continuous availability of the + system. The plan should define roles and responsibilities, and set out options + to reroute or substitute critical functions and/or services that may be affected + for a significant period by a successful cyber attack. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-4 + description: The FMI should develop comprehensive cyber incident response, resumption + and recovery plans, to manage cybersecurity events or incidents in a way that + limits damage and prioritises resumption and recovery actions in order to + facilitate the processing of critical transactions, increases the confidence + of external stakeholders, and reduces recovery time and costs. Such plans + should define policies and procedures, as well as roles and responsibilities + for escalating, responding to, and recovering from cybersecurity incidents. + The FMI should ensure all relevant business units (including communications) + are integrated into the plans. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-5 + description: "The FMI\u2019s cyber incident response, resumption and recovery\ + \ processes should be closely integrated with crisis management, business\ + \ continuity, and disaster recovery planning and recovery operations." 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-6 + description: The FMI should ensure that its incident response team has the requisite + skills and training to address cyber incidents. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-7 + description: The FMI should define alert parameters and thresholds for detecting + cybersecurity incidents, which trigger the incident management processes and + procedures, which in turn include alerting and conveying information to the + appropriate staff. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-8 + description: The FMI should regularly test its cyber contingency, response, + resumption and recovery plans against a range of different plausible scenarios. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-9 + description: The FMI should have processes and procedures in place for collating + and reviewing information from its cybersecurity incidents and testing results + in order to continuously improve its contingency, response, resumption and + recovery plans. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-10 + description: The FMI should have processes and procedures in place to conduct + an ex post root cause analysis of its cybersecurity incidents. The FMI should + integrate its findings from the root cause analysis into its cyber response, + resumption and recovery plans, as set out in Expectation 4 above. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-11 + description: The FMI should design and test its systems and processes to enable + critical operations to be resumed safely within two hours of a cyber disruption + and to enable it to complete settlement by the end of the day of the disruption, + even in the case of extreme but plausible scenarios. Notwithstanding this + capability to resume critical operations within two hours, FMIs should undertake + careful problem analysis and exercise judgement (in agreement with competent + authorities and relevant stakeholders) when resuming operations so that risks + to the FMI or its ecosystem do not escalate as a result, while taking into + account the fact that completion of settlement by the end of day is crucial. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-12 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-12 + description: "The FMI should plan for scenarios in which resumption within two\ + \ hours cannot be achieved. 
The FMI should analyse critical functions, transactions\ + \ and interdependencies to prioritise resumption and recovery actions, which\ + \ may, depending on the design of the FMI, help critical transactions to be\ + \ processed, for example, while remediation efforts continue. The FMI should\ + \ also plan for situations in which critical people, processes or systems\ + \ may be unavailable for significant periods \u2013 for example, by potentially\ + \ reverting (where feasible, safe and practicable) to manual processing if\ + \ automated systems are unavailable." + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-13 + description: The FMI should implement an effective incident handling capability + for cybersecurity incidents that includes preparation, detection and analysis, + containment, eradication and recovery. Such capability should allow the FMI + to perform, at an early stage, analysis of cybersecurity incidents upon their + detection, with minimal service disruption. This capability might include + direct cooperative or contractual agreements with incident response organisations + or providers to assist rapidly with mitigation effort. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-14 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-14 + description: The FMI should define and develop functional and security dependency + maps of identified information assets supporting critical functions to understand + and prioritise the order in which they should be restored. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-15 + description: The FMI should be able to use lessons learned from real-life cyber + attacks on the institution and its ecosystem to improve its contingency, response, + resumption and recovery plans. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-16 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-16 + description: The FMI should consult with relevant external stakeholders (e.g. + main participants, service providers and other FMIs) within the ecosystem + to further enhance its contingency, response, resumption and recovery plans. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-17 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-17 + description: The FMI should continuously monitor, evaluate and consider technological + developments and solutions in the market that may enhance its contingency, + response, resumption and recovery capabilities. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-18 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-18 + description: The FMI should implement processes to continuously improve its + cyber response, resumption and recovery plans, taking into account cyber threat + intelligence feeds, information sharing with its ecosystem and lessons learned + from previous events. 
+ implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-19 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-19 + description: The FMI should consult, collaborate and coordinate with relevant + external stakeholders (e.g. main participants, service providers and other + FMIs) within the ecosystem to develop common contingency, response, resumption + and recovery plans for cyber scenarios which may impact the ecosystem as a + whole. The FMI should conduct regular scenario tests (e.g. industry-wide and + FMI-specific simulation exercises) with the relevant external stakeholders. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-20 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-20 + description: The FMI should implement a computer security incident response + team (CSIRT), whether in-house or outsourced, that is responsible for responding + to security incidents and intrusions, and coordinating activities among the + relevant internal and external stakeholders. Such a team should have the authority + to direct the FMI to make the changes necessary to recover from the incident. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1-21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.1 + ref_id: 2.5.2.1-21 + description: The FMI should establish and implement processes to manage cybersecurity + incidents and enable automated responses, triggered by predefined criteria, + parameters and thresholds. For example, the FMI could develop configurable + capability to isolate or disable automatically affected information systems + if cyber attacks or security violations are detected. 
+ implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2 + ref_id: 2.5.2.2 + name: Data integrity + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2-22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2 + ref_id: 2.5.2.2-22 + description: The FMI should develop a formal backup policy specifying the minimum + frequency and scope of data, based on data sensitivity and the frequency with + which that new information is introduced. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2-23 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2 + ref_id: 2.5.2.2-23 + description: The FMI should develop backup and recovery methods and strategies + to be able to restore system operations with minimum downtime and limited + disruption + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2-24 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2 + ref_id: 2.5.2.2-24 + description: The FMI should regularly back up all data necessary to replay participants' + transactions. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2-25 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2 + ref_id: 2.5.2.2-25 + description: Backups should be protected at rest and in transit to ensure the + confidentiality, integrity and availability of data. Backups should be tested + regularly to verify their availability and integrity. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2-26 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2 + ref_id: 2.5.2.2-26 + description: The FMI should store backup copies at an alternate site with a + different risk profile to the main site, and with transfer rates consistent + with actual RPOs. The alternate site and backups should be safeguarded by + stringent protective and detective controls. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2-27 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2 + ref_id: 2.5.2.2-27 + description: The FMI's information systems should implement transaction recovery + mechanisms for transaction-based systems, which might include transaction + rollback and logging. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2-28 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2 + ref_id: 2.5.2.2-28 + description: "The FMI should conduct frequent periodic reconciliation of participants\u2019\ + \ positions, with the assistance of participants where needed." + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2-29 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2 + ref_id: 2.5.2.2-29 + description: The FMI should develop capabilities to restore information system + components within the actual RTOs using a predefined and standardised configuration + of IT resources, the integrity of which is protected. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2-30 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2 + ref_id: 2.5.2.2-30 + description: The FMI's backup and recovery methods and strategies should be + integrated into the FMI's system infrastructure at the development and/or + acquisition phase. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2-31 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2 + ref_id: 2.5.2.2-31 + description: The FMI should back up its information system by maintaining a + redundant secondary system that is not located in the same place as the primary + system and that can be activated without information being lost or operations + disrupted. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2-32 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.2 + ref_id: 2.5.2.2-32 + description: The FMI should consider having a data-sharing agreement with third + parties and/or participants in order to obtain uncorrupted data from them + for recovering its business operations in a timely manner and with accurate + data. 
+ implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2 + ref_id: 2.5.2.3 + name: Communication and collaboration + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node273 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3 + name: Contagion + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3-33 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node273 + ref_id: 2.5.2.3-33 + description: The FMI should identify, document and regularly review systems + and processes supporting its critical functions and/or operations that are + dependent on external connectivity. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3-34 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node273 + ref_id: 2.5.2.3-34 + description: The FMI should develop policies and procedures that define how + it should work together with relevant interconnected entities to enable operations + to be resumed (the first priority being its critical functions and services) + as soon as it is safe and practicable to do so. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3-35 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node273 + ref_id: 2.5.2.3-35 + description: The FMI should closely cooperate with its interconnected entities + within the ecosystem, establishing rollback processes in order to restore + all its services accurately and safely. Moreover, the FMI should test the + effectiveness of these procedures regularly. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3-36 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node273 + ref_id: 2.5.2.3-36 + description: The FMI should design its network connection infrastructure in + a way that allows connections to be segmented or severed instantaneously to + prevent contagion arising from cyber attacks. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node278 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3 + name: Crisis communication and responsible disclosure + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3-37 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node278 + ref_id: 2.5.2.3-37 + description: The FMI should identify and determine staff who are essential for + mitigating the risk of a cyber incident, and make them aware of their roles + and responsibilities regarding incident escalation. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3-38 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node278 + ref_id: 2.5.2.3-38 + description: The FMI's incident response plan should identify the internal and + external stakeholders that must be notified, as well as the information that + has to be shared and reported, and when this should take place. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3-39 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node278 + ref_id: 2.5.2.3-39 + description: The FMI should establish criteria and procedures for escalating + cyber incidents or vulnerabilities to the Board and senior management based + on the potential impact and criticality of the risk. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3-40 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node278 + ref_id: 2.5.2.3-40 + description: The FMI should have a communication plan and procedures in place + to notify, as required or necessary, all relevant internal and external stakeholders + (including oversight, regulatory authorities, media and customers) in a timely + manner, when the institution becomes aware of a cyber incident. The FMI should + notify the appropriate internal and external stakeholders when a cyber incident + occurs. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3-41 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node278 + ref_id: 2.5.2.3-41 + description: The FMI should have a policy and procedures to enable potential + vulnerabilities to be disclosed responsibly. In particular, the FMI should + prioritise disclosures that could help stakeholders to respond promptly and + mitigate risk, which could benefit the ecosystem and broader financial stability. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3-42 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node278 + ref_id: 2.5.2.3-42 + description: The FMI should establish and regularly review information-sharing + rules, agreements and modalities in order to control the publication and distribution + of such information, and to prevent sensitive information that may have adverse + consequences if disclosed improperly from being disseminated. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3-43 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node278 + ref_id: 2.5.2.3-43 + description: After developing a range of cyber incident scenarios based on the + incident criteria established in the evolving level, the FMI should develop + appropriate incident response and communication plans and procedures to address + the scenarios. These incident response and communication plans and procedures + should take into consideration the legal and regulatory reporting requirements + at a jurisdictional level. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.3-44 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node278 + ref_id: 2.5.2.3-44 + description: The FMI should develop mechanisms that instantaneously notify its + senior management, relevant employees and relevant stakeholders (including + oversight and regulatory authorities) of cyber incidents through appropriate + communication channels with tracking and verification of receipt. Such mechanisms + should be based on predefined criteria and informed by scenario-based planning + and analysis, as well as prior experience. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2 + ref_id: 2.5.2.4 + name: Forensic readiness + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4-45 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4 + ref_id: 2.5.2.4-45 + description: The FMI should identify the threat scenarios that might have a + potential impact on its business and determine which pieces of digital evidence + (e.g. types of logs) should be collected to facilitate forensic investigation. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4-46 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4 + ref_id: 2.5.2.4-46 + description: The FMI should identify and document the digital evidence available + on its systems and its location, and understand how the evidence should be + handled throughout its life cycle. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4-47 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4 + ref_id: 2.5.2.4-47 + description: Based on Expectations 45 and 46, the FMI should develop and implement + a forensic readiness policy and the capability to support forensic investigation, + which also outlines the relevant system logging policies that include the + types of logs to be maintained and their retention periods. The FMI may outsource + the conduct of forensic investigations to external specialists. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4-48 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4 + ref_id: 2.5.2.4-48 + description: The FMI should establish procedures for securely collecting digital + evidence in a forensically acceptable manner and in accordance with the requirements + defined in the forensic readiness policy, taking into account the requirements + of the local jurisdiction. These procedures should describe how investigative + staff should produce step-by-step documentation of all activities performed + on digital evidence and their impact. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4-49 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4 + ref_id: 2.5.2.4-49 + description: "The FMI should establish policies for securely handling and storing\ + \ the collected digital evidence, ensuring its authenticity and integrity.\ + \ The FMI should develop procedures to demonstrate that the evidence\u2019\ + s integrity is preserved whenever it is accessed, used or moved (i.e. chain\ + \ of custody)." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4-50 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4 + ref_id: 2.5.2.4-50 + description: The FMI should train its staff so that all those involved in an + incident understand their responsibilities related to handling the digital + evidence, ensuring it is not compromised and remains valid as per the requirements + of the local jurisdiction. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4-51 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4 + ref_id: 2.5.2.4-51 + description: The FMI should ensure that staff specifically involved in the forensic + investigation have the appropriate degree of competence in handling the digital + evidence, ensuring its authenticity and integrity is not compromised and remains + valid as per the requirements of the local jurisdiction. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4-52 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4 + ref_id: 2.5.2.4-52 + description: The FMI should closely integrate plans for forensic readiness with + plans for incident management and other related business planning activities. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4-53 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4 + ref_id: 2.5.2.4-53 + description: The FMI should have a management review process that improves forensic + readiness plans in accordance with experience and new knowledge. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4-54 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.5.2.4 + ref_id: 2.5.2.4-54 + description: The FMI should take an open and collaborative approach with the + ecosystem to improve lawful forensic investigation and incident handling methodologies + and tools. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2 + ref_id: '2.6' + name: Testing + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6 + ref_id: 2.6.1 + name: Preamble + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node300 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.1 + description: "Testing is an integral component of any cyber resilience framework.\ + \ All elements of a cyber resilience framework should be rigorously tested\ + \ to determine their overall effectiveness before being deployed within an\ + \ FMI, and regularly thereafter. This includes the extent to which the framework\ + \ is implemented correctly, operating as intended and producing desired outcomes.\ + \ Understanding the overall effectiveness of the cyber resilience framework\ + \ in the FMI and its environment is essential in determining the residual\ + \ cyber risk to the FMI\u2019s operations, assets, and ecosystem." 
+ - urn: urn:intuitem:risk:req_node:croe-for-fmi:node301 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.1 + description: "Sound testing regimes produce findings that are used to identify\ + \ gaps in stated resilience objectives and provide credible and meaningful\ + \ inputs to the FMI\u2019s cyber risk management process. Analysis of testing\ + \ results provides direction on how to correct weaknesses or deficiencies\ + \ in the cyber resilience posture and reduce or eliminate identified gaps.\ + \ This chapter provides guidance on areas that should be included in an FMI\u2019\ + s testing and how results from testing can be used to improve the FMI\u2019\ + s cyber resilience posture on an ongoing basis. The scope of testing for the\ + \ purpose of this guidance includes vulnerability assessments, scenario-based\ + \ testing, penetration tests and tests using red teams." + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6 + ref_id: 2.6.2 + name: Expectations + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node303 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2 + name: 'General:' + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node303 + ref_id: 2.6.2-1 + description: The FMI should establish and maintain a comprehensive testing programme + as an integral part of its cyber resilience framework. The testing programme + should consist of a broad spectrum of methodologies, practices and tools for + monitoring, assessing and evaluating the effectiveness of the core components + of the cyber resilience framework. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node303 + ref_id: 2.6.2-2 + description: The FMI should adopt a risk-based approach in developing the comprehensive + testing programme. This should be reviewed and updated on a regular basis + taking into due account the evolving landscape of threats and the criticality + of information assets. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node303 + ref_id: 2.6.2-3 + description: The FMI should develop appropriate capabilities and involve, if + deemed necessary, all relevant internal stakeholders (including business lines + and operational units) when implementing its testing programme. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node303 + ref_id: 2.6.2-4 + description: The FMI should ensure that the tests are undertaken by independent + parties, whether internal or external. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node303 + ref_id: 2.6.2-5 + description: For continuous improvement of its cyber resilience posture, the + FMI should establish policies and procedures to prioritise and remedy issues + identified from the various tests and perform subsequent validation to assess + whether gaps have been fully addressed. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node303 + ref_id: 2.6.2-6 + description: "The FMI\u2019s Board and senior management should incorporate\ + \ lessons learned from the test results." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node303 + ref_id: 2.6.2-7 + description: The FMI should test critical systems, applications and data recovery + plans at least annually. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node303 + ref_id: 2.6.2-8 + description: The FMI should test response, resumption and recovery plans, including + governance and coordination, and crisis communication arrangements and practices, + at least annually. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node303 + ref_id: 2.6.2-9 + description: The FMI should test the information backups periodically to verify + they are accessible and readable. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node313 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2 + name: 'Vulnerability assessments:' + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node313 + ref_id: 2.6.2-10 + description: The FMI should develop a documented and regularly updated vulnerability + management process in order to classify, prioritise and remedy potential weaknesses + identified in vulnerability assessments and perform subsequent validation + to assess whether gaps have been fully addressed. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node313 + ref_id: 2.6.2-11 + description: "The FMI\u2019s vulnerability management process should help any\ + \ type of exploitable weakness to be identified (technical, processual, organisational\ + \ and emergent) in the critical functions, their supporting processes and\ + \ information assets where they reside." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-12 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node313 + ref_id: 2.6.2-12 + description: The FMI should conduct vulnerability scanning for their external-facing + services and the internal systems and networks on a regular basis. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node313 + ref_id: 2.6.2-13 + description: The FMI should perform vulnerability assessments before any deployment + or redeployment of new or existing services supporting critical functions, + applications and infrastructure components for fixing bugs and weaknesses, + consistently with change and release management processes in place. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-14 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node313 + ref_id: 2.6.2-14 + description: The FMI should periodically conduct vulnerability assessments on + running services, applications and infrastructure components for compliance + checks against regulations, policy and configurations, as well as for monitoring + and evaluating the effectiveness of security controls to address the identified + vulnerabilities. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node319 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2 + name: 'Scenario-based testing:' + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node319 + ref_id: 2.6.2-15 + description: The FMI should perform different scenario-based tests, including + extreme but plausible scenarios, to evaluate and improve its incident detection + capability, as well as response, resumption and recovery plans. Scenario-based + tests can take the form of desktop exercises or simulations. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-16 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node319 + ref_id: 2.6.2-16 + description: "The FMI\u2019s Board and senior management should be engaged in\ + \ the scenario-based test, when appropriate." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-17 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node319 + ref_id: 2.6.2-17 + description: "To improve the FMI\u2019s staff awareness and enhance the risk\ + \ culture within the organisation, the scenario-based tests should include\ + \ social engineering and phishing simulation." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-18 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node319 + ref_id: 2.6.2-18 + description: The FMI should test of the extent to which internal skills, processes + and procedures can adequately respond to extreme but plausible scenarios, + with a view to achieving stronger operational resilience. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node324 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2 + name: 'Penetration tests:' + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-19 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node324 + ref_id: 2.6.2-19 + description: The FMI should conduct penetration tests on their external-facing + services and the internal systems and networks to identify vulnerabilities + in the adopted technology, organisation and operations regularly, or at least + on an annual basis. 
Penetration tests should be conducted using a risk-based + approach and, at the very least, in cases of major changes and new system + deployment. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-20 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node324 + ref_id: 2.6.2-20 + description: 'The FMI should perform penetration tests, engaging all critical + internal and external stakeholders in the penetration testing exercises: system + owners, business continuity, and incident and crisis response teams.' + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node327 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2 + name: 'General:' + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node327 + ref_id: 2.6.2-21 + description: The FMI should include testing practices as an integrated part + of its enterprise risk management process with the aim of identifying, analysing + and fixing cybersecurity vulnerabilities stemming from new products, services + or interconnections. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node327 + ref_id: 2.6.2-22 + description: "The FMI should develop capabilities to seek, analyse and use cyber\ + \ threat intelligence to help inform and update its testing programme to ensure\ + \ it is in line with the latest threat landscape, attackers\u2019 modus operandi\ + \ and vulnerabilities." 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-23 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node327 + ref_id: 2.6.2-23 + description: The FMI should adopt best practices and automated tools to support + the processes and procedures in place to fix technical and organisational + weaknesses identified during the testing exercises and to check for compliance + with approved policy and configurations. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-24 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node327 + ref_id: 2.6.2-24 + description: The FMI should perform security assessments and tests when applicable + at all phases of the SDLC and at any level (business, application and technology) + for the entire application portfolio, including mobile applications. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node332 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2 + name: 'Vulnerability assessments:' + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-25 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node332 + ref_id: 2.6.2-25 + description: The FMI should perform vulnerability scanning on an ongoing basis, + rotating among environments in order to scan all environments throughout the + year. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node334 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2 + name: 'Scenario-based testing:' + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-26 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node334 + ref_id: 2.6.2-26 + description: The FMI should test its response, resumption and recovery plans + against cyber attack scenarios which include data destruction, data integrity + corruption, data loss, and system and data availability. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-27 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node334 + ref_id: 2.6.2-27 + description: The FMI should use cybersecurity incident scenarios involving significant + financial loss, as part of its stress testing process, to better understand + potential spillovers and risk to its business model. The FMI should use such + stress tests to further improve its risk management framework. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node337 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2 + name: 'Penetration tests:' + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-28 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node337 + ref_id: 2.6.2-28 + description: The FMI should design and perform penetration tests to simulate + realistic attack techniques on systems, networks, applications and procedures. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node339 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2 + name: 'Red team testing:' + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-29 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node339 + ref_id: 2.6.2-29 + description: "The FMI should conduct red team exercises to test critical functions\ + \ for possible vulnerabilities and the effectiveness of an FMI\u2019s mitigating\ + \ controls, including its people, processes and technology." + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-30 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node339 + ref_id: 2.6.2-30 + description: The FMI should perform red team exercises using reliable and valuable + cyber threat intelligence, based on specific and plausible threat scenarios. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-31 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node339 + ref_id: 2.6.2-31 + description: The FMI should conduct independent red team exercises, utilising + regulatory and industry frameworks (e.g. the European Framework for Threat-Intelligence + Based Ethical Red teaming (TIBER-EU Framework)8). + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-32 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node339 + ref_id: 2.6.2-32 + description: The FMI should build its internal processes and capabilities to + prepare for undertaking the independent red team exercise (e.g. 
establishing + an internal white team, developing incident escalation procedures, following + appropriate methodologies and establishing robust risk management controls), + as set out in the TIBER-EU Framework, for example. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node344 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2 + name: 'General:' + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-33 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node344 + ref_id: 2.6.2-33 + description: The FMI should develop, monitor and analyse metrics to assess the + performance and effectiveness of its testing programme. The FMI should use + the analysis conducted to further improve its testing programme. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-34 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node344 + ref_id: 2.6.2-34 + description: The FMI should regularly conduct tests in collaboration with its + peers, participants and third parties. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-35 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node344 + ref_id: 2.6.2-35 + description: "The FMI should proactively engage in industry-wide exercises in\ + \ order to test cooperation and coordination protocols and communication plans.\ + \ These exercises should foster the FMI\u2019s awareness on cross-sector cooperation\ + \ and third-party risks." 
+ implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-36 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node344 + ref_id: 2.6.2-36 + description: The FMI should promote and participate in cross-sector cyber testing + exercises to assess the soundness and security of its value chain as a whole. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-37 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node344 + ref_id: 2.6.2-37 + description: The FMI should test the cooperation arrangements in place with + relevant external entities at least annually (e.g. third-party security service + providers, law enforcement agencies, computer emergency response teams (CERTs) + or information sharing and analysis centres (ISACs), etc.) in order to validate + their effectiveness. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-38 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node344 + ref_id: 2.6.2-38 + description: The FMI should consider discussing relevant test conclusions with + other stakeholders to boost the cyber resilience of its ecosystem and the + financial sector as a whole, as far as possible and under specific information-sharing + arrangements. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node351 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2 + name: 'Vulnerability assessments:' + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-39 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node351 + ref_id: 2.6.2-39 + description: The FMI should develop and adopt a range of effective practices + and tools (e.g. a Bug Bounty programme and static and dynamic code reviews, + etc.) 
as part of its vulnerability management process, and have appropriate + safeguards in place to manage them. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node353 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2 + name: 'Scenario-based testing:' + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-40 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node353 + ref_id: 2.6.2-40 + description: "The FMI should conduct scenario-based tests that cover breaches\ + \ affecting multiple portions of the FMI's ecosystem in order to identify\ + \ and analyse potential complexities, interdependencies and possible contagion\ + \ both at business and operational level which should be taken into account\ + \ in the FMI\u2019s cyber resilience framework." + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-41 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node353 + ref_id: 2.6.2-41 + description: "The FMI should collaborate with the ecosystem to develop cybersecurity\ + \ incident scenarios involving significant financial loss and use them for\ + \ stress tests to better understand potential spillovers and contagion risk\ + \ to the ecosystem. The FMI should use such stress tests to further improve\ + \ its cyber resilience posture, which contributes to improving the ecosystem\u2019\ + s resilience as a whole." 
+ implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node356 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2 + name: 'Red team testing:' + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.6.2-42 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:node356 + ref_id: 2.6.2-42 + description: "In addition to periodic independent and external red team exercises,\ + \ the FMI should develop an internal red team capability with the appropriate\ + \ methodologies, sophisticated tools and appropriately skilled staff. The\ + \ internal red team should regularly conduct red team exercises and engage\ + \ with the internal blue team to share its findings and make improvements\ + \ to the FMI\u2019s cyber resilience posture." + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2 + ref_id: '2.7' + name: Situational awareness + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7 + ref_id: 2.7.1 + name: Preamble + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node360 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.1 + description: "Situational awareness refers to an FMI\u2019s understanding of\ + \ the cyber threat environment within which it operates, and the implications\ + \ of being in that environment for its business and the adequacy of its cyber\ + \ risk mitigation measures. Strong situational awareness, acquired through\ + \ an effective cyber threat intelligence process can make a significant difference\ + \ in the FMI\u2019s ability to pre-empt cyber events or respond rapidly and\ + \ effectively to them. 
Specifically, a keen appreciation of the threat landscape\ + \ can help an FMI better understand the vulnerabilities in its critical business\ + \ functions, and facilitate the adoption of appropriate risk mitigation strategies.\ + \ It can also enable an FMI to validate its strategic direction, resource\ + \ allocation, processes, procedures and controls with respect to building\ + \ its cyber resilience. A key means of achieving situational awareness for\ + \ an FMI and its ecosystem is an FMI\u2019s active participation in information-sharing\ + \ arrangements and collaboration with trusted stakeholders within and outside\ + \ the industry. This chapter provides guidance for FMIs to establish a cyber\ + \ threat intelligence process, analysis and sharing processes." + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7 + ref_id: 2.7.2 + name: Expectations + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2 + ref_id: 2.7.2.1 + name: Cyber threat intelligence + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-1 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + ref_id: 2.7.2.1-1 + description: The FMI should identify cyber threats that could materially affect + its ability to perform or provide services as expected, or that could have + a significant impact on its ability to meet its own obligations or have knock-on + effects within its ecosystem. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-2 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + ref_id: 2.7.2.1-2 + description: The FMI should have capabilities in place to gather cyber threat + information from internal and external sources (e.g. 
application, system and + network logs; security products such as firewalls and IDSs; trusted threat + intelligence providers; and publicly available information). + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-3 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + ref_id: 2.7.2.1-3 + description: "The FMI should belong or subscribe to a threat and vulnerability\ + \ information-sharing source and/or ISAC that provides information on cyber\ + \ threats and vulnerabilities. Cyber threat information gathered by the FMI\ + \ should include analysis of tactics, techniques and procedures (TTPs) of\ + \ real-life attackers, their modus operandi and information on geopolitical\ + \ developments that may trigger cyber attacks on any entity within the FMI\u2019\ + s ecosystem." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-4 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + ref_id: 2.7.2.1-4 + description: 'The FMI should have the capabilities to analyse the cyber threat + information gathered from different sources, while taking into account the + business and technical characteristics of the FMI, in order to:' + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-4.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-4 + ref_id: 2.7.2.1-4.a + description: determine the motivation and capabilities of threat actors (including + their TTPs) and the extent to which the FMI is at risk of a targeted attack + from them; + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-4.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-4 + ref_id: 2.7.2.1-4.b + description: assess the risk of technical vulnerabilities in operating systems, + 
applications and other software, which could be exploited to perform attacks + on the FMI; + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-4.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-4 + ref_id: 2.7.2.1-4.c + description: analyse cybersecurity incidents experienced by other organisations + (where available), including types of incident and origin of attacks, target + of attacks, preceding threat events and frequency of occurrence, and determine + the potential risk these pose to the FMI. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-5 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + ref_id: 2.7.2.1-5 + description: The FMI should analyse the information gathered above to produce + relevant cyber threat intelligence, and continuously use it to assess and + manage security threats and vulnerabilities for the purpose of implementing + appropriate cybersecurity controls in its systems and, on a more general level, + enhancing its cyber resilience framework and capabilities on an ongoing basis. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + ref_id: 2.7.2.1-6 + description: The FMI should ensure that the gathering and analysis of cyber + threat information and the production of cyber threat intelligence are reviewed + and updated regularly. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-7 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + ref_id: 2.7.2.1-7 + description: The FMI should ensure that cyber threat intelligence is made available + to appropriate staff who are responsible for mitigating cyber risks at the + strategic, tactical and operational levels within the FMI. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + ref_id: 2.7.2.1-8 + description: The FMI should incorporate lessons learned from its analysis of + the cyber threat information into the employee training and awareness programmes. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + ref_id: 2.7.2.1-9 + description: The FMI should continuously use its cyber threat intelligence to + anticipate, as much as possible, a cyber attacker's capabilities, intentions + and modus operandi, and subsequently possible future attacks. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + ref_id: 2.7.2.1-10 + description: 'The FMI should develop a cyber threat risk dashboard9, which uses + the cyber threat information and intelligence to outline, among other things:' + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-10.a + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-10 + ref_id: 2.7.2.1-10.a + description: the most likely threat actors for the FMI; + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-10.b + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-10 + ref_id: 2.7.2.1-10.b + description: the TTPs that may be used by such threat actors; + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-10.c + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-10 + ref_id: 2.7.2.1-10.c + description: the likely vulnerabilities that may be exploited by such threat + actors; + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-10.d + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-10 + ref_id: 2.7.2.1-10.d + description: "the likelihood of attack from such threat actors and the impact\ + \ on the confidentiality, integrity and availability of the FMI\u2019s business\ + \ processes and its reputation that could arise from such attacks;" + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-10.e + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-10 + ref_id: 2.7.2.1-10.e + description: the impact of attacks already conducted by such threat actors on + 
the ecosystem; + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-10.f + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-10 + ref_id: 2.7.2.1-10.f + description: the risk mitigation measures in place to manage a potential attack. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-11 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + ref_id: 2.7.2.1-11 + description: The cyber threat risk dashboard should be continuously reviewed + and updated in the light of new threats and vulnerabilities and discussed + by the Board and senior management. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-12 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + ref_id: 2.7.2.1-12 + description: The FMI should include in its threat analysis those threats which + could trigger extreme but plausible cyber events, even if they are considered + unlikely to occur or have never occurred in the past. The FMI should review + and update this analysis regularly. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + ref_id: 2.7.2.1-13 + description: "The FMI should ensure that the scope of cyber threat intelligence\ + \ gathering includes the capability to gather and interpret information about\ + \ relevant cyber threats arising from the FMI\u2019s participants, service\ + \ and utility providers and other FMIs, and to interpret this information\ + \ in ways that allow the FMI to identify, assess and manage security threats\ + \ and vulnerabilities for the purpose of implementing appropriate safeguards\ + \ in its systems." 
+ implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1-14 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1 + ref_id: 2.7.2.1-14 + description: The FMI should integrate and align its cyber threat intelligence + process with its SOC. The FMI should use information gathered from its SOC + to further enhance its cyber threat intelligence; and conversely, use its + cyber threat intelligence to inform its SOC. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2 + ref_id: 2.7.2.2 + name: Information sharing + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2-15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2 + ref_id: 2.7.2.2-15 + description: The FMI should define the goals and objectives of information sharing, + in line with its business objectives and cyber resilience framework. At the + very least, the objectives should include collecting and exchanging information + in a timely manner that could facilitate the detection, response, resumption + and recovery of its own systems and those of other sector participants during + and following a cyber attack. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2-16 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2 + ref_id: 2.7.2.2-16 + description: "The FMI should define the scope of information-sharing activities\ + \ by identifying the types of information available to be shared (e.g. attackers\u2019\ + \ modus operandi, indicators of compromise, and threats and vulnerabilities,\ + \ etc.), the circumstances under which sharing this information is permitted\ + \ (e.g. in the case of a cyber incident), those with whom the information\ + \ can and should be shared (e.g. 
the FMI\u2019s direct stakeholders such as\ + \ critical service providers, participants and other interconnected FMIs,\ + \ etc.), and how information provided to the FMI and other sector participants\ + \ will be acted upon." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2-17 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2 + ref_id: 2.7.2.2-17 + description: The FMI should establish and regularly review the information-sharing + rules and agreements and implement procedures that allow information to be + shared promptly and in line with the objectives and scope established above, + while at the same time meeting its obligations to protect potentially sensitive + data that may have adverse consequences if disclosed improperly. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2-18 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2 + ref_id: 2.7.2.2-18 + description: The FMI should establish trusted and safe channels of communication + with its direct stakeholders for exchanging information. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2-19 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2 + ref_id: 2.7.2.2-19 + description: "The FMI should have in place a process to access and share information\ + \ with external stakeholders in a timely manner, such as regulators, law enforcement\ + \ or other organisations within the FMI\u2019s ecosystem." 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2-20 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2 + ref_id: 2.7.2.2-20 + description: The FMI should participate actively in existing information-sharing + groups and facilities, including cross-industry, cross-government and cross-border + groups to gather, distribute and assess information about cyber practices, + cyber threats and early warning indicators relating to cyber threats. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2-21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2 + ref_id: 2.7.2.2-21 + description: The FMI should establish and implement protocols for sharing information + relating to threats, vulnerabilities and cyber incidents with employees, based + on their specific roles and responsibilities. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2-22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2 + ref_id: 2.7.2.2-22 + description: "The FMI should share information with relevant stakeholders in\ + \ the ecosystem to achieve broader cyber resilience situational awareness,\ + \ including promoting an understanding of each other\u2019s approach to achieving\ + \ cyber resilience." + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2-23 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2 + ref_id: 2.7.2.2-23 + description: The FMI should make use of threat intelligence capabilities that + provide internal and external threat and vulnerability information, analyse + this information, and disseminate it to the relevant stakeholders in the ecosystem + promptly, so as to help stakeholders to respond quickly and mitigate risks. 
+ implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2-24 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.2 + ref_id: 2.7.2.2-24 + description: The FMI should participate in efforts to identify the gaps in current + information-sharing mechanisms and seek to address them, in order to facilitate + a sector-wide response to large-scale incidents. + implementation_groups: + - INNOVATING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2 + ref_id: '2.8' + name: Learning and evolving + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8 + ref_id: 2.8.1 + name: Preamble + - urn: urn:intuitem:risk:req_node:croe-for-fmi:node399 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.1 + description: "An FMI\u2019s cyber resilience framework needs to achieve continuous\ + \ cyber resilience amid a changing threat environment. To be effective in\ + \ keeping pace with the rapid evolution of cyber threats, an FMI should implement\ + \ an adaptive cyber resilience framework that evolves with the dynamic nature\ + \ of cyber risks and allows the FMI to identify, assess and manage security\ + \ threats and vulnerabilities for the purpose of implementing appropriate\ + \ safeguards into its systems. An FMI should aim to instil a culture of cyber\ + \ risk awareness whereby its resilience posture, at every level, is regularly\ + \ and frequently re-evaluated." 
+ - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8 + ref_id: 2.8.2 + name: Expectations + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + ref_id: 2.8.2.1 + name: Cyber threat intelligence + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1-1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + ref_id: 2.8.2.1-1 + description: The FMI should have capabilities in place to gather information + on common vulnerabilities, cyber threats, events and incidents occurring both + within and outside the FMI. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1-2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + ref_id: 2.8.2.1-2 + description: The FMI should have the capabilities to analyse the information + gathered and assess the potential impact on its cyber resilience framework. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1-3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + ref_id: 2.8.2.1-3 + description: "The FMI should distil and classify the lessons learned (e.g. strategic,\ + \ tactical and operational), identify the key stakeholders to whom these apply,\ + \ incorporate them to improve the FMI\u2019s cyber resilience framework and\ + \ capabilities, and convey them to each relevant stakeholder on an ongoing\ + \ basis." 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1-4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + ref_id: 2.8.2.1-4 + description: Senior management should ensure that it has a programme for continuing + cyber resilience training and skills development for all staff. This training + programme should include the Board members and senior management and should + be conducted at least annually. The annual cyber resilience training should + include incident response, current cyber threats (e.g. phishing, spear phishing, + social engineering and mobile security) and emerging issues. The FMI should + ensure that the training programme equips staff to deal with cyber incidents, + including how to report unusual activity. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1-5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + ref_id: 2.8.2.1-5 + description: The FMI should ensure that cybersecurity awareness materials are + made available to staff when prompted by highly visible cyber events or by + regulatory alerts. + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1-6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + ref_id: 2.8.2.1-6 + description: The FMI should incorporate lessons learned into the staff training, + awareness programmes and materials, on an ongoing and dynamic basis. The FMI + should utilise industry and authority initiatives related to awareness and + training, where possible. 
+ implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1-7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + ref_id: 2.8.2.1-7 + description: "The FMI should set a range of indicators and develop management\ + \ information to measure and monitor the effective implementation of the cyber\ + \ resilience strategy and framework on a regular basis and its evolution over\ + \ time. For example, relevant information and indicators could be: the percentage\ + \ of the FMI\u2019s staff that have received cybersecurity training; the percentage\ + \ of incidents reported within the required timeframe per applicable incident\ + \ category; the percentage of vulnerabilities mitigated within a defined time\ + \ period after discovery; and yearly reports monitoring progress of indicators,\ + \ etc." + implementation_groups: + - EVOLVING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1-8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + ref_id: 2.8.2.1-8 + description: The FMI should validate the effectiveness of incorporating lessons + learned into the employee training and awareness programmes on a regular basis. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1-9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + ref_id: 2.8.2.1-9 + description: An FMI should actively monitor technological developments and keep + abreast of new cyber risk management processes that could effectively counter + existing and newly developed forms of cyber attack. An FMI should consider + acquiring such technology and know-how to maintain its cyber resilience. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1-10 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + ref_id: 2.8.2.1-10 + description: The FMI should analyse and correlate findings from audits, management + information, incidents, near misses, tests (e.g. vulnerability assessment, + penetration testing and red team testing, etc.), exercises and external and + internal intelligence in order to enhance and improve its cyber resilience + capabilities. An internal cross-disciplinary steering committee could drive + this activity. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1-11 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + ref_id: 2.8.2.1-11 + description: The FMI should incorporate lessons learned from real-life cyber + events and/or from testing results on the FMI and/or other organisations, + to improve the its risk mitigation capabilities, as well as its cyber contingency, + response, resumption and recovery plans. + implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1-12 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + ref_id: 2.8.2.1-12 + description: The FMI should continuously track its progress in developing its + cyber resilience capabilities from a current state to a defined future state. + A maturity model can assist the FMI in documenting this progress. 
+ implementation_groups: + - ADVANCING + - urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1-13 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2 + ref_id: 2.8.2.1-13 + description: The FMI should have capabilities in place to use multiple sources + of intelligence, correlated log analysis, alerts, traffic flows, cyber events + across other sectors and geopolitical events to better understand the evolving + threat landscape and proactively take the appropriate measures to improve + its cyber resilience capabilities. + implementation_groups: + - INNOVATING diff --git a/tools/CROE-FOR-FMI/CROE-for-FMI.xlsx b/tools/CROE-FOR-FMI/CROE-for-FMI.xlsx new file mode 100644 index 000000000..2f313b33d Binary files /dev/null and b/tools/CROE-FOR-FMI/CROE-for-FMI.xlsx differ
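Review bot: In the 2.8.2.1 block (nodes 2.8.2.1-1 through 2.8.2.1-13), every requirement carries `depth: 4` and `parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2`, so these leaves become siblings of the 2.8.2.1 heading instead of its children and 2.8.2.1 is left with no descendants; the equivalent leaves under 2.7 use `depth: 5` and `parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.7.2.1`, so these should read `depth: 5` with `parent_urn: urn:intuitem:risk:req_node:croe-for-fmi:2.8.2.1`. Related: node 2.8.2.1 is named `Cyber threat intelligence`, identical to 2.7.2.1, which looks like a copy-paste from the previous chapter; please check that heading against the ECB document for the "Learning and evolving" section before merging. Two text defects in the descriptions: 2.7.2.1-10 contains `cyber threat risk dashboard9`, a footnote marker fused to the word that should be dropped, and 2.8.2.1-11 reads `to improve the its risk mitigation capabilities` (stray `the`). Since this file is consumed by the library loader, a check that every `parent_urn` resolves to an existing node whose `depth` is exactly one less than the child's would have caught the first issue before import and is worth adding to the tooling that generates these YAML files from the spreadsheet.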